I got this interesting Tweet this morning from Ken Tindell @kentindell
I decided to check what is this about and expand the message … then LMAO!
David Manouchehri @DaveManouchehri found interesting code in the Allwinner GitHub https://github.com/allwinner-zh/linux-3.4-sunxi
What does this means? If string “rootmydevice” pass through sunxi_debug process it assigns you root privileges.
My first though was who the hell will use the original extracted from Android Linux Kernel 3.4 made by Allwinner which contains binary blobs, when there is completely Free Open Source alternative developed by Linux-Sunxi community?
…and while thinking on it, scrolling down I found this:
some guy decided to try it on his Orange Pi – you see the result, he got root access to the device by simple echo command!
Damn! and this is put with non-conditional flags i.e. embedded always in the kernel you can’t remove it!
If the guys from Allwinner were smart enough they would at least hide this in the binary blobs, so no one could see it!
This is just yet another example what you are exposed to when use kernels which are with binary blobs inside, not speaking of the security quality of the code which Allwinner developers produce!
Fortunately we use Linux-Sunxi community kernel which is 100% open source and no binary blobs!
(well if you want hardware acceleration GPU drivers are still with binary blobs and no one knows what is inside, but this looks like heap of works and no one is interested to liberate them so far).
here is what OLinuXino Kernel responds on the same command:
What does this means? All devices which run Allwinner Linux Kernel 3.4 are subject to this backdoor security flaw and you can easily gain root access on any on them!
olimex 
May 10, 2016 @ 09:14:36
You missed the point. In your sun7i 3.4.103 kernel this specific local privileges escalation is not present since Allwinner introduced it with the sun8i 3.4 kernel variant last year. All details: http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/
So in case you would’ve already prepared OS images for your new H3 devices you might’ve been affected too. And if you still use 3.4.103 on your OS images for A10/A20 boards then I would suspect something’s wrong (since we’re already at 3.4.112 there — mostly security fixes BTW)
May 10, 2016 @ 09:45:39
yes, we are still 3.4.103 as it works and we do not want to touch it, no offence, I appreciate what you do, but we made few attempts to move to newer kernel and always something is broken (for instance freeze after few hours of intensive video play etc, which is hard to catch, but obviously memory leak or something else, for most of our customers 3.4.103 works fine, it supports all our hardware we use and it’s have been tested for many months 24/7 under different loads without problems
May 10, 2016 @ 09:52:45
BTW: You should keep in mind that the kernel tree you’re referring to (‘Linux-Sunxi community kernel which is 100% open source’) contains hardware drivers and stuff taken from Allwinner’s BSP kernel 3.4.39 released a few years ago. So while _this_ specific local privileges escalation is not possible with the sun7i 3.4.103 kernel you use the drivers might hide other unwanted ‘surprises’.
Switching to mainline kernel is the better alternative for most use cases in the meantime. A10/A20 support is pretty good. And according to our download logs Lime/Lime2 users relying on Armbian prefer mainline over 3.4 already 🙂
May 10, 2016 @ 11:58:20
Guess what? The mainline kernel also has privilege escalation bugs getting discovered on a regular basis.
Also some people are in fact interested in rooting their Android devices. So Allwinner might have probably thought that they were doing a good thing for their users 🙂 See https://en.wikipedia.org/wiki/Rooting_(Android_OS)
The users of the Chinese “Pi” clones based on the same A20 SoC can and do run the mainline kernel on their boards too. So the A20 boards from OLIMEX do not have any real advantage at least in the software support. But OLIMEX boards do have their own advantages because they are OSHW compliant, which is definitely a good thing.
May 10, 2016 @ 12:13:35
Sure, I do not argue that every A20 board could run proper software. I’m just puzzled why they decided to run this kernel when there is better alternative!
These “debug” leftovers seems to me more like lazy programmers forgot to clean their code before commit for production than to intentional left backdoors, but who knows.
May 10, 2016 @ 13:39:44
Which ‘better alternative’ are you referring to? The problem only affects Allwinner’s BSP 3.4.x kernel released for H3/A83T last year (not A20 or any other Allwinner device — unfortunately you chose a rather misleading title for this blog post). H3/A83T contain different IP Blocks for many things and linux-sunxi community is still busy writing mainline code for this stuff from scratch.
Until mainline kernel support for H3/A83T isn’t ready there simply has been no alternative if you wanted to run a H3 device a few weeks/months ago. Which kernel sources do you currently use for testing your new H3 based OlinuXinos?
BTW: While it’s a good idea to patch this flaw ASAP I would believe that most affected OS images relying on this kernel (for Orange and Banana Pi) are that insecure by design (sudo without authentication for default user) that it doesn’t matter that much whether the fix is applied or not.
Any news on your H3 boards while we’re already at it? 🙂
Dec 28, 2016 @ 18:02:49
Unable to enter either of your URL’s on my Android. Boots to home, but cannot get a single app running without freezw, followed by ,”app not responding”; then as I hit wait; it cycles round every App with the same result. Find it impossible to get a browser running to enter URL’s. HELP!! what do I do? AllWinner 9″ A13 ARM. Andr 4.2.2. Silvery (78) surfer.
Aug 02, 2017 @ 21:45:37
Got over the problem when I found the ‘factory reset’ utility in the settings. OK I lost all the apps & data, but that was soon corrected by reloading the ones I really wanted. Also instolled Android 4.2.2 repair app which is useful.
Mar 18, 2017 @ 19:35:53
Hey i tried this on Vox v102 and got some error. Can you help me?
Aug 10, 2020 @ 19:40:21
i HAVE ONE QUESTION. hOW TO RESET THIS DEVICE PROTECTED BY PASSWORD?